Dissertation/Thesis Abstract

Analyzing and Securing Firmware for IoT Devices
by Redini, Nilo, Ph.D., University of California, Santa Barbara, 2020, 260; 28260067
Abstract (Summary)

Internet of Things (IoT) devices have rooted themselves in the everyday life of billions of people. While they automate and simplify many aspects of the users’ lives, the widespread usage of IoT devices constitutes a security concern for our modern society. Aside from the privacy and safety implications of having a smart door lock that could succumb to an Internet-based attack, or a smoke detector that an assailant could disable by connecting to it from a compromised light bulb, vulnerabilities in these devices have wider implications. Recent large-scale attacks have shown that the sheer number of Internet-connected IoT devices poses a severe threat to the Internet infrastructure. The most prominent example is represented by the Mirai botnet that, in 2016, compromised millions of devices and leveraged them in denial-of-service attacks to disrupt core Internet services and shut down websites.

For these reasons, it is of crucial importance to assess the security of IoT devices. Analyzing and securing IoT devices present specific challenges that differ from those of analyzing and securing traditional desktop computers. The main reason is that IoT devices are manufactured by a plethora of different vendors, which often use vendor-specific hardware and software (or firmware) for their products. Given the heterogeneity and widespread usage of IoT devices, we need novel, automated, and scalable solutions able to improve the security of these devices.

During my Ph.D., I approached the problem of securing IoT devices from different angles and using different strategies, which I present in detail in this dissertation. First, I introduce the IoT landscape, with particular attention to the peculiarities that characterize embedded firmware. Then, I present in detail my work that advances the state of the art of firmware security. In particular, I present (i) BootStomp, a novel tool to find bugs in bootloaders for embedded devices, (ii) Karonte, a novel static analysis approach to track data flows across the different components of a firmware sample to precisely uncover security vulnerabilities, (iii) Bintrimmer, a tool that relies on a novel abstract domain (called Signedness-Agnostic Strided Interval) to perform code debloating on binaries, thus decreasing the attack surface that could be used by an attacker to harm end-users, and, finally, (iv) DiAne, a novel approach to fuzz IoT devices that leverages the logic of the device’s companion app (i.e., the application commonly used to interact with IoT devices). I evaluate the performance of the proposed approaches and show that the developed tools are effective in improving the security of firmware for IoT devices.

Indexing (document details)
Advisor: Vigna, Giovanni; Kruegel, Christopher
Committee: Hardekopf, Ben
School: University of California, Santa Barbara
Department: Computer Science
School Location: United States -- California
Source: DAI-B 82/8(E), Dissertation Abstracts International
Subjects: Computer science, Information Technology, Artificial intelligence
Keywords: Firmware analysis, Firmware fuzzing, Firmware security, IoT devices, IoT security, System security
Publication Number: 28260067
ISBN: 9798582504276
Copyright © 2021 ProQuest LLC. All rights reserved.